Data Control and Outlook 2007

I have a case open with Tech Support on this issue, but unfortunately, my confidence is low on a resolution.  They are unable to replicate my issue.  I have exported all of my Data Control rules, files involved, etc.  They just don't see the problem.

The problem is this:  I have a sample file with all of the triggers known to mankind for triggering Data Control.  And it works perfectly whenever I copy the file to an external storage device such as a USB Drive or SD Card.  Works great.

But, I can open up an email and send this same file as an attachment without any detection whatsoever.  I've replicated this on two different machines in my environment.  One XP.  One Windows 7.  Using Outlook 2007.  Using Outlook Express.  Running Outlook in Safemode.  Copied from a local disk or network share.

The program is essentially useless if you can email confidential documents undetected like some kind of virtual Maginot Line.  I'd love some suggestions or feedback that might point me to a solution, since I'm probably going to have to figure this out myself.

  • Excuse the seemingly dumb question - where does this file reside? Did you read the thread "browser upload not intercepted"? Smells like it ...

    Christian
  • The file resides on my local C drive in my download directory.  I also tested it on a redirected mydocs folder on my SAN.

    There is no browser involved.  Just the full Outlook 2007 client running in Cached mode.  Tech support claims it works fine for them.  Verbose logging detects absolutely nothing.  Copy to an SD card triggers Data Control correctly.  Outlook is invisible to Data Control in my situation.


    Adam in DC

  • There is no browser involved

    If you read John Stringer's post in the associated thread (The exclusions only apply to monitored applications and not storage monitoring (removable or optical) ) carefully you note that it says applications - thus the same logic applies to browsers, mail clients and whatever monitored applications are included.

    I had the same experience - Support could not reproduce the issue, I encountered it on some machines but not others (I was misled as I saw it only on W7 and W2k8) and the case did not progress until I read I may have found a massive hole in Data Control which is slightly worrying? - then it clicked (and I had the opposite problem: seeing that what applies to mail also applies to browser). Using Process Monitor I saw that the file was only "touched" but not scanned - then it was obvious.

    Christian

  • Dear Christian:

    Thanks for including the link to the other article.  At first I thought you weren't understanding my issue, but you really have identified the problem exactly and I'm even more dumbfounded that this product is actually working as designed.  Here's how I validated your hunch.  I copied the file from C:\Users\Adam\Download to the root of C:\

    Data Control then worked when I attempted to email the file.  

    So Sophos excludes user profiles from being scanned when emailing files....even though copying to usb triggers the data control from within profiles!!!  But only in the case of remote files being excluded from scanning in AV ?  Or something like that?  

    What I can't believe is that numerous Sophos technicians are putting me through all sorts of tests, FOR WEEKS, when their product is working, as said in the other post, "Broken As Designed" or BAD.  I will look into testing the remote scanning feature to see if enabling it causes a hit in performance and then maybe this feature might be worth something.  

    I wasn't expecting foolproof.  But don't tell me about data control if the product only works when copying....but you can email to your heart's desire any file you want...if remote scanning is disabled?!!  And then your engineers don't know this to help the customer.  

    Very disappointed - more so in them wasting my time than anything.


    Adam in DC

  • Fine that the problem is identified. And before I go into an attempted explanation ... What I can't believe is that numerous Sophos technicians are putting me through all sorts of tests - you can always send feedback to Support and you should do so. Of course they should know, but as part of me heads a support group I understand the situation. Nevertheless your time has been wasted and you should state this (next time ask me first :smileyvery-happy: ... :smileywink:) 

    DLP is tricky - and most of us never thought much about how it really works (and expect kinda magic although we know better about IT). Now here's what I think I understand so far:

    Destination

    As of now there are two distinct groups of destinations: Storage and Applications. If you are content with the Explorer-only restriction Storage is no problem. If you turn on storage monitoring DLP only permits one application to open for write to the device - Explorer. All other applications are denied access. DLP knows how to figure out what Explorer is about to do and thus can "easily" apply the rules.  

    Applications is a different matter. There's one application DLP is confident about: Explorer - the rest is rather arcane. All DLP can do is watch for OPEN requests. As there are no file system semantics for OPEN_AS_SEND_ATTACHMENT or OPEN_FOR_BROWSER_UPLOAD (and if there were, applications would attempt to do without them) it's guesswork. So DLP relies on the AV scanner to get notified of opens. Then it has to determine the application requesting the open. After that it gets messy - using the file: scheme a browser can potentially open any file. An email client opens an attachment just to display it - how could DLP know what the program is about to do? So it has to use heuristics to do the right thing.

    There are also completely uncovered destinations like tethered connections (iTunes) or esoteric file systems. Your only choice in this case is not to use them.

    Exemptions

    Quite simple - your email client naturally uses an address book. This likely contains data which would trigger a PII rule. DLP of course can't know whether the application opens the file just to let you select a recipient or to attach it to an outgoing message. There are heuristics - if they err your application might not work. As Sophos is about protection and not absolute-security-before-everything-else-and-above-all, certain locations known to contain an application's configuration and data store are exempted. 

    I have requested the exempted locations to be reviewed (as I've stumbled over Downloads) and John Stringer has promised it.

    I hope it is clearer now.

    Disclaimer: I'm not defending Sophos - client-side interception generally has its limits and if any of the vendors would have found a solution to the "put your pants on all legs at the same time if you are a spider" problem we would already have heard.

    Christian

    Your attempt to explain how the product works is welcome.  And the tech in question was sorry that he did not know about the defect.  Although other techs on other issues at Sophos were always willing to do a screenshare so I could better explain an issue, this one didn't seem to pick up my un-subtle hints.  "Let me show you what I'm talking about!"  To which the reply was, "It must be some Add-in or GPO you're running."

    And I see what you're saying about "storage - usb,sd cards" vs. "applications - Outlook"

    But the killer for me is that in Data Control Policies in the enterprise console, the rules are pretty clearly spelled out.  You pick from lists.  They include Outlook, Lotus Notes, etc.  There's no list that says, "Outlook, but only if you do A-E-I-O-U and sometimes Y"  

    Hopefully, this experience will lead to better understanding by TechSupport of their own products.  Knew I should have gone to the forums earlier.  


    Adam in DC

  • But the killer for me is that in Data Control Policies in the enterprise console, the rules are pretty clearly spelled out ... There's no list that says, "Outlook, but only if you do A-E-I-O-U and sometimes Y" 

    Yup, that's one part of BAD - lack of documentation. As you see, John Stringer who happens to be product manager does listen and I think he's doing a good job. I've been of many trades - programming, design, development, operations, productions, strategy, support, ... - and I know how different the view can be from different angles. It's important to speak up - there are neither numbskulls nor gods on "the other side" (that is, in general :smileywink:) ... but I digress.

    Bottom line is - a tool has its limits, nobody and nothing is perfect, our input is essential.

    Christian

  • Hi,

    Sorry for not responding quicker - not checked the forums for a few days. First point is that I apologise for the frustrating experience you had with support. I'll make sure that the teams are aware of the current limitation. We are carrying out work to plug the gap and I'm hoping that the Endpoint 10.1 release will cover as a bare minimum the "Downloads" folder.

    Intercepting email and web traffic on the endpoint is not without its challenges so I'd recommend considering the email appliance, which has the bonus of delivering file based encryption as an action, if you want really robust outbound email scanning for DLP purposes (we are also working on integrating the DLP engine into the web appliance and eventually the Sophos UTM / Astaro ASG). Hope this helps.

    Best regards,

    John

  • Just to be clear, will Data Control detect emailing a file from a profile based location if remote file scanning is NOT in the exclusions section of the AV setup?

    Because I removed that setting from my machine, and I can still email the offending file from my downloads directory.  


    Adam in DC

  • I see that the attempted explanation is still confusing.
    The inbuilt exclusions (certain system and user folders) exist to avoid application hangs. They are always in effect and the setting for remote files has nothing to do with it. This is not a problem for system and Program Files areas, as there shouldn't be any sensitive files and the typical user has no write access there. The user (profile) area is different - on the one hand a user can put everything everywhere there, on the other hand applications depend on files stored therein. Thus files from these (defined but not really published) locations are never blocked (and consequently not scanned in the first place).

    @John: Just a thought - would it be feasible to log the "bypass" when verbose logging is turned on? There's a penalty of course but it would:
    * give an explanation why a file isn't blocked
    * help to understand the reasons for the exemption
    * assure the customer that DLP is working - if not as expected then at least as designed

    Christian
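The exemption logic described in Christian's last two posts (profile locations bypass application monitoring but not storage monitoring) together with his proposed "bypass" log line, as an added worked example. This is illustrative code written for this thread, not Sophos's implementation: the exempted folder names, the content trigger and the sample paths are all constructed assumptions. It also generalises slightly beyond the thread by handling a redirected (UNC) profile and a look-alike folder name, since a path-prefix check done on raw strings would get both of those wrong.

```python
import re
from pathlib import PureWindowsPath

# Constructed for this example: folders under the user profile that the
# application-monitoring path treats as exempt. The real list is, as the
# thread says, "defined but not really published"; these names are assumptions.
EXEMPT_PROFILE_SUBFOLDERS = ("Downloads", "AppData")

# Constructed "PII" trigger (a US-SSN-shaped number) standing in for a real rule.
PII_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def _parts(path):
    """Split a Windows path (drive or UNC) into lower-cased components so that
    prefix checks are case-insensitive and component-based."""
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def is_under(path, base):
    """True if `path` lies strictly below `base`.
    Compares whole components, so C:\\Users\\Adam\\Downloads2 is NOT under
    C:\\Users\\Adam\\Downloads (a naive string-prefix test would say it is)."""
    p, b = _parts(path), _parts(base)
    return len(p) > len(b) and p[:len(b)] == b


def is_exempt(path, profile_root):
    """True if `path` sits in one of the exempted profile subfolders."""
    return any(is_under(path, PureWindowsPath(profile_root, sub))
               for sub in EXEMPT_PROFILE_SUBFOLDERS)


def matches_rule(content):
    """Content rule stand-in: does the file contain the constructed PII pattern?"""
    return PII_PATTERN.search(content) is not None


def evaluate(path, content, destination, profile_root, log):
    """Decide 'bypass', 'block' or 'allow' for one transfer and append a line to
    `log` explaining why. `destination` is 'storage' (USB/SD, exemption does not
    apply) or 'application' (mail client / browser, exemption applies)."""
    if destination not in ("storage", "application"):
        raise ValueError(f"unknown destination {destination!r}")
    if destination == "application" and is_exempt(path, profile_root):
        # The bypass Christian asks to see in verbose logging: no rule is evaluated.
        log.append(f"BYPASS {destination}: {path} is in an exempted profile location")
        return "bypass"
    if matches_rule(content):
        log.append(f"BLOCK {destination}: {path} matched a content rule")
        return "block"
    log.append(f"ALLOW {destination}: {path} matched no rule")
    return "allow"


def demo():
    """Replay the thread's scenario on constructed inputs; returns (decisions, log)."""
    profile = r"C:\Users\Adam"
    sensitive = "customer record, SSN 123-45-6789"  # constructed file content
    log = []
    decisions = {
        "downloads_to_usb": evaluate(r"C:\Users\Adam\Downloads\test.docx", sensitive, "storage", profile, log),
        "downloads_to_mail": evaluate(r"C:\Users\Adam\Downloads\test.docx", sensitive, "application", profile, log),
        "root_to_mail": evaluate(r"C:\test.docx", sensitive, "application", profile, log),
        "lookalike_to_mail": evaluate(r"C:\Users\Adam\Downloads2\test.docx", sensitive, "application", profile, log),
        "redirected_to_mail": evaluate(r"\\san\users\adam\Downloads\test.docx", sensitive, "application",
                                       r"\\san\users\adam", log),
    }
    return decisions, log


if __name__ == "__main__":
    _, audit = demo()
    for line in audit:
        print(line)
```

Running it reproduces what Adam saw: the same file is blocked on the way to a USB stick, bypassed when attached from Downloads (or from a redirected profile on a SAN), and blocked again once copied to the root of C:. The BYPASS lines are the audit trail Christian asks for; without them the first two outcomes are indistinguishable from "verbose logging detects absolutely nothing".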